Trivy on daily basis only #535
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
jobs: | |
shared: | |
uses: pantos-io/ci-workflows/.github/workflows/python-ci.yml@v1 | |
secrets: inherit | |
docker-build: | |
name: Build Docker images | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
arch: ['amd64'] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
azure.archive.ubuntu.com:80 | |
deb.debian.org:80 | |
esm.ubuntu.com:443 | |
files.pythonhosted.org:443 | |
ghcr.io:443 | |
github.com:443 | |
index.docker.io:443 | |
motd.ubuntu.com:443 | |
packages.microsoft.com:443 | |
pkg-containers.githubusercontent.com:443 | |
production.cloudflare.docker.com:443 | |
pypi.org:443 | |
registry-1.docker.io:443 | |
repo.anaconda.com:443 | |
- uses: actions/checkout@v4 | |
- uses: actions/checkout@v4 | |
with: | |
repository: pantos-io/ethereum-contracts | |
path: ethereum-contracts | |
sparse-checkout: | | |
Makefile | |
docker-compose.yml | |
- name: Create local signer_key | |
run: | | |
ssh-keygen -t ed25519 -f signer_key.pem -N '' | |
chmod 777 signer_key.pem | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
id: buildx | |
- name: Cache Docker layers | |
uses: actions/cache@v4 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-v1.0-service-node-${{ matrix.arch}}-${{ github.ref_name }} | |
restore-keys: | | |
${{ runner.os }}-buildx-v1.0-service-node-${{ matrix.arch}}- | |
- name: Check docker config and disable live reload | |
run: | | |
cat /etc/docker/daemon.json | |
echo '{ "live-restore": false }' | sudo tee /etc/docker/daemon.json | |
sudo systemctl reload docker | |
make check-swarm-init | |
- name: Run Docker | |
run: | | |
make docker-local | |
working-directory: ethereum-contracts | |
env: | |
DOCKER_TAG: "development" | |
- name: Ensure ethereum-contracts is accessible | |
run: | | |
for port in 8511 8510; do | |
echo "Checking availability of http://localhost:$port..." | |
for i in {1..30}; do | |
if curl -s --max-time 5 http://localhost:$port/ -X POST -H "Content-Type: application/json" --data '{"method":"eth_blockNumber","params":[],"id":1,"jsonrpc":"2.0"}'; then | |
echo " ... http://localhost:$port is accessible." | |
break | |
else | |
echo "http://localhost:$port is not accessible. Retrying in 10 seconds..." | |
sleep 10 | |
fi | |
done | |
done | |
working-directory: ethereum-contracts | |
- name: Build and load | |
run: | | |
mkdir export | |
make docker-build ARGS='--set "*.cache-from=type=local,src=/tmp/.buildx-cache" \ | |
--set "*.cache-to=type=local,dest=/tmp/.buildx-cache-new" \ | |
--set "*.platform=linux/${{ matrix.arch }}" \ | |
--builder ${{ steps.buildx.outputs.name }} \ | |
--set "app.output=type=tar,dest=export/app.tar" \ | |
--set "worker.output=type=tar,dest=export/worker.tar"' | |
- name: Test image | |
timeout-minutes: ${{ matrix.arch == 'amd64' && 10 || 30 }} | |
run: | | |
make docker | |
- name: Dump service node logs | |
if: always() | |
run: | | |
timeout 1 make docker-logs || true | |
- name: Tear down | |
run: | | |
make docker-remove | |
- name: Dump ethereum contract logs | |
if: always() | |
run: | | |
timeout 1 make docker-logs || true | |
working-directory: ethereum-contracts | |
- name: Move cache | |
run: | | |
rm -rf /tmp/.buildx-cache | |
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
- name: Upload artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: docker-images-${{ matrix.arch }} | |
path: export | |
retention-days: 1 | |
build: | |
uses: ./.github/workflows/build.yml | |
install: | |
needs: [build] | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: | |
- ubuntu-20.04 | |
- ubuntu-22.04 | |
# TODO: Fix the installation on ubuntu-24.04 | |
# - ubuntu-24.04 | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/checkout@v4 | |
with: | |
repository: pantos-io/ethereum-contracts | |
path: ethereum-contracts | |
sparse-checkout: | | |
Makefile | |
docker-compose.yml | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
id: buildx | |
- name: Check docker config and disable live reload | |
run: | | |
cat /etc/docker/daemon.json | |
echo '{ "live-restore": false }' | sudo tee /etc/docker/daemon.json | |
sudo systemctl reload docker | |
make check-swarm-init | |
- name: Run Docker | |
run: | | |
make docker-local | |
working-directory: ethereum-contracts | |
env: | |
DOCKER_TAG: "development" | |
- name: Ensure ethereum-contracts is accessible | |
run: | | |
for port in 8511 8510; do | |
echo "Checking availability of http://localhost:$port..." | |
for i in {1..30}; do | |
if curl -s --max-time 5 http://localhost:$port/ -X POST -H "Content-Type: application/json" --data '{"method":"eth_blockNumber","params":[],"id":1,"jsonrpc":"2.0"}'; then | |
echo " ... http://localhost:$port is accessible." | |
break | |
else | |
echo "http://localhost:$port is not accessible. Retrying in 10 seconds..." | |
sleep 10 | |
fi | |
done | |
done | |
working-directory: ethereum-contracts | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: build-amd64 | |
path: build | |
- name: Preconfigure package | |
run: | | |
echo 'pantos-service-node-full pantos/service-node/create_signer_key boolean true' | sudo debconf-set-selections; | |
echo 'pantos-service-node-full pantos/service-node/signer_key_password string 1234' | sudo debconf-set-selections; | |
echo 'pantos-service-node-full pantos/common/configure_postgresql boolean true' | sudo debconf-set-selections; | |
echo 'pantos-service-node-full pantos/common/configure_rabbitmq boolean true' | sudo debconf-set-selections; | |
echo 'pantos-service-node-full pantos/common/start_services boolean true' | sudo debconf-set-selections; | |
- name: Copy files from eth-data and bnb-data | |
run: | | |
sudo mkdir -p /etc/pantos | |
sudo chmod 777 /etc/pantos | |
# Get the task ID for the eth service | |
ETH_TASK_ID=$(docker ps --filter "name=stack-ethereum-contracts--1-eth" --format "{{.ID}}") | |
# Copy files from the eth service | |
docker cp $ETH_TASK_ID:/data/keystore /etc/pantos/keystore.eth | |
docker cp $ETH_TASK_ID:/data/ETHEREUM.env /etc/pantos/ETHEREUM.env | |
# Get the task ID for the bnb service | |
BNB_CHAIN_TASK_ID=$(docker ps --filter "name=stack-ethereum-contracts--1-bnb" --format "{{.ID}}") | |
# Copy files from the bnb service | |
docker cp $BNB_CHAIN_TASK_ID:/data/keystore /etc/pantos/keystore.bnb | |
docker cp $BNB_CHAIN_TASK_ID:/data/BNB_CHAIN.env /etc/pantos/BNB_CHAIN.env | |
working-directory: ethereum-contracts | |
- name: Set env | |
run: | | |
sudo cp ./service-node-config.local.env /etc/pantos/service-node-config.env | |
# Append the new addresses from the copied env files | |
sudo cat /etc/pantos/ETHEREUM.env | sudo tee -a /etc/pantos/service-node-config.env > /dev/null | |
sudo cat /etc/pantos/BNB_CHAIN.env | sudo tee -a /etc/pantos/service-node-config.env > /dev/null | |
sudo chmod 644 /etc/pantos/service-node-config.env | |
- name: Install Debian package | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y ./build/*.deb curl | |
# Check service is running | |
- name: Check service is running | |
timeout-minutes: 5 | |
run: | | |
# Wait for the service to start | |
while ! sudo systemctl is-active --quiet pantos-service-node-server; do | |
echo "Server is not running, retrying in 1 second." | |
sleep 1 | |
done | |
echo "Server is running" | |
while ! sudo systemctl is-active --quiet pantos-service-node-celery; do | |
echo "Celery is not running, retrying in 1 second." | |
sleep 1 | |
done | |
echo "Celery is running" | |
# Wait for curl to be positive | |
max_retries=60 | |
retries=0 | |
set +e | |
while [ $retries -lt $max_retries ]; do | |
response=$(curl -s --max-time 5 -o /dev/null -w '%{http_code}' 'http://localhost:8080/bids?source_blockchain=0&destination_blockchain=1') | |
exit_code=$? | |
if [ "$response" -eq 200 ]; then | |
echo "Received 200 response, exiting." | |
break | |
elif [ $exit_code -eq 28 ]; then | |
echo "Curl timed out, continuing to retry." | |
else | |
echo "Did not receive 200 response, retrying in 1 second." | |
fi | |
sleep 1 | |
retries=$((retries + 1)) | |
done | |
set -e | |
if [ $retries -eq $max_retries ]; then | |
echo "Max retries reached, exiting with failure." | |
exit 1 | |
fi | |
echo "Service is up and running" | |
- name: Print logs | |
if: always() | |
run: | | |
sudo systemctl status pantos-service-node-server || true | |
sudo systemctl status pantos-service-node-celery || true | |
sudo journalctl -u pantos-service-node-server || true | |
sudo journalctl -u pantos-service-node-celery || true | |
# Print the contents of every file in /var/log/pantos | |
sudo find /var/log/pantos -type f -exec sudo cat {} \; | |
- name: Fix permissions for upload | |
if: always() | |
run: | | |
sudo chmod -R 777 /var/log/pantos | |
sudo chmod -R 777 /etc/pantos | |
- name: Upload logs | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: install-logs-${{ matrix.os }} | |
path: /var/log/pantos | |
- name: Upload env config | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: env-config-${{ matrix.os }} | |
path: /etc/pantos | |
- name: Dump ethereum contract logs | |
if: always() | |
run: | | |
timeout 1 make docker-logs || true | |
working-directory: ethereum-contracts | |
e2e-tests: | |
name: E2E tests | |
needs: docker-build | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
arch: ['amd64'] | |
env: | |
PANTOS_SERVICE_NODE: ${{ github.workspace }}/servicenode | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
path: ${{ env.PANTOS_SERVICE_NODE }} | |
sparse-checkout: | | |
docker-compose.yml | |
docker-compose.override.yml | |
service-node-config.docker.env | |
Makefile | |
- name: Download artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker-images-${{ matrix.arch }} | |
path: export | |
- name: Load images | |
run: | | |
cat export/app.tar | docker import - pantosio/service-node-app:local | |
cat export/worker.tar | docker import - pantosio/service-node-worker:local | |
- uses: pantos-io/e2e-testing/.github/actions/run-tests@main | |
with: | |
servicenode-path: ${{ env.PANTOS_SERVICE_NODE }} | |
servicenode-version: 'local' |